When calling a cross-domain service, Silverlight will check for the existence of clientaccesspolicy.xml first. This is the format defined by Silverlight and provides a pretty flexible way to define who can access what services. If not found, it will then default to look for crossdomain.xml, which is the file format implemented for Adobe Flash. It is important to note that this file will also still work for most public web services.

Another change to the Flash Player 7 framework is the use of cross-domain policy files. A policy file is a simple XML file that gives the Flash Player permission to access data from a given domain without displaying a security dialog. When placed on a server, it tells the Flash Player to allow direct access to data on that server, without prompting the user to grant access.

Probably easiest to add this file if you don't want the 404s, and decide whether or not you want to allow Flash and Silverlight access to your website without a security prompt.

Why is the convention dumb? A unified standard should be established (for both browsers and all RIA platforms), but having some way to define cross-domain request policies itself is a good idea. It gives developers more freedom while still protecting against XSRF attacks. And using an XML file to define policies seems easier to deploy than CORS.
–
Lèse majestéDec 19 '10 at 9:23

This file is requested any time a remote website script attempts to get resources from your site. See this question.
So, this means, someone is trying to leech your files - read referrers, if they are logged.